Estimated reading time: 8 minutes
At $100 per user per month, most Christchurch managed IT providers are selling you a toolset, not a service. You get endpoint monitoring, basic antivirus, some form of cloud backup, and a helpdesk to call when something breaks. What you do not get is the labour behind those tools: the people reviewing alerts, tuning policies, running compliance checks, and actively managing your security posture. That labour is the expensive part, and it is the first thing cheap providers cut. You will never know it is missing until you have a breach.
What $100 Per User Actually Buys
At this price point, a provider is covering the cost of software licences, a basic remote monitoring and management (RMM) platform, and enough helpdesk time to handle break-fix requests. That is IT support. It is not cybersecurity. It is not governance. It is not proactive management.
For context, our support-only service sits between $99 – $154 per user per month. Our cybersecurity service is an additional layer starting at $70 per user. These are separate line items for a reason: they represent separate teams, separate tooling, and separate labour. Any provider claiming to deliver both for $100 to $120 total is either operating at a loss or, far more likely, not doing the work.
The Missing Labour Problem
Security tools without skilled people behind them are just dashboards nobody reads. A security operations centre is not a product you install. It requires analysts reviewing alerts, investigating anomalies, tuning detection rules, and responding to incidents in real time. That costs money.
When a provider bundles “cybersecurity” into a $100 per user agreement, ask yourself: who is watching the alerts at 2am? Who is reviewing your compliance posture quarterly? Who is running simulated phishing campaigns and acting on the results? Who is maintaining your incident response plan?
The honest answer with most budget providers is nobody. The tools are deployed. The dashboards exist. But the labour to make those tools effective has been stripped out to hit the price point.
This is not a criticism of smaller providers trying to compete. It is a statement of economics. A qualified cybersecurity analyst in New Zealand costs $85,000 to $120,000 per year before overheads. That cost has to be recovered somewhere. If it is not in the price, it is not in the service.
IT Support Is Not Cybersecurity
One of the most damaging assumptions in the SME market is that IT support and cybersecurity are the same thing. They are not.
IT support keeps your systems running. It handles password resets, printer issues, software installs, and connectivity problems. It is reactive by nature and measured by response time and resolution speed.
Cybersecurity is a fundamentally different discipline. It is proactive, risk-based, and built on continuous monitoring, threat detection, incident response, and compliance frameworks. It requires different tools, different skills, and different operational processes.
When a provider packages both into a single low per-user fee, they are almost certainly delivering IT support with a few security tools bolted on. That is not a managed security service. That is antivirus with a helpdesk number.
Why We Align Our Clients to SMB1001
The problem with vague “cybersecurity included” claims is that there is no way for the client to verify what they are actually getting. That is why we align every client to the SMB1001 cybersecurity certification framework.
SMB1001 provides a tiered, independently verifiable standard (Bronze through Diamond) with specific controls at each level. When we say a client is operating at Silver tier, that means a defined set of controls are implemented, documented, and auditable. There is no ambiguity.
This matters because it shifts the conversation from “trust us, we have you covered” to “here are the specific controls in place, here is the evidence, and here is the certification to prove it.” It gives business owners a concrete benchmark rather than a vague promise.
Most providers offering cybersecurity at $100 per user cannot tell you which controls are in place, which are missing, or where the gaps sit. They certainly cannot point to a recognised framework and show you where your business lands against it. That gap between perception and reality is where breaches live.
ISO 27001-Backed, Not Just Tools
Our service operates under an ISO 27001 certified information security management system. That certification is not cosmetic. It means our internal processes, our handling of client data, our backup and recovery procedures, and our incident response workflows are independently audited and held to an international standard.
When you engage a provider at $100 per user, ask whether their own operations are ISO 27001 certified. Ask whether they hold ISO 42001 for AI governance. The answer tells you whether they are managing your security with rigour or just reselling tools and hoping nothing goes wrong.
The distinction matters more than most business owners realise. A provider without structured internal governance is asking you to trust that their ad-hoc processes will hold up under pressure. History repeatedly shows they do not.
What Happens When Cheap Fails
The true cost of a budget IT provider reveals itself during a cyber incident. When ransomware encrypts your file server at 6pm on a Friday, the provider’s response capability is tested in real time. If the labour was never there, neither is the response.
Common outcomes we see when businesses come to us after a breach with a budget provider:
- No documented incident response plan existed, so the first hours were spent figuring out what to do rather than executing a playbook.
- Backups existed but had never been tested. Recovery failed or took days instead of hours.
- No forensic capability meant the business could not determine what data was compromised, making Privacy Act notification obligations impossible to meet accurately.
- No relationship with a cyber insurance broker or insurer, and no evidence of controls to support a claim.
Every one of these failures traces back to the same root cause: the backend work was not being done because the price did not allow for it.
What the Real Cost Breakdown Looks Like
For a Christchurch business with 25 users, here is what genuine managed IT and cybersecurity actually costs when delivered properly:
| Component | Per User/Month | 25 Users/Month |
|---|---|---|
| Managed IT support (helpdesk, monitoring, patching, vendor management) | ~$154 | ~$3,850 |
| Cybersecurity (EDR, SOC monitoring, compliance, awareness training, incident response) | ~$120 | ~$3,000 |
| Total | ~$274 | ~$6,850 |
Compare that to a provider quoting $100 per user ($2,500/month for the same 25 users) and claiming to cover both. The $4,350 per month gap is not margin. It is labour, expertise, and operational capability that simply is not being delivered.
What to Ask Any Provider Quoting Under $150 Per User
If a New Zealand provider quotes you $100 to $120 per user and claims comprehensive IT and security coverage, put these questions to them:
- Is IT support and cybersecurity delivered by the same team, or separate specialist teams?
- Which cybersecurity framework do you align clients to, and can you show me where I sit against it?
- Is your own operation ISO 27001 certified?
- Who monitors security alerts outside business hours, and what is their response time SLA?
- Can you show me a documented incident response plan specific to my business?
- When was my last backup tested, and what is the recovery time objective?
The answers will tell you everything. Providers doing the work welcome these questions. Providers selling tools and hoping for the best will deflect.
Red Flags That Mean You’re Getting Less Than You Think
Overspending on managed IT does not always mean paying the highest price. It means paying for a service that does not deliver what it promises. These are the warning signs:
- No clear separation between IT support and security services on your invoice.
- No regular technical business reviews or security posture reporting.
- No alignment to a recognised cybersecurity framework like SMB1001.
- “Cybersecurity” means antivirus and a firewall, with no mention of SOC monitoring, threat hunting, or compliance.
- The provider cannot articulate their own internal security certifications.
- Backup recovery has never been tested in a live scenario.
If any of these apply, the $100 per user you are paying is not saving you money. It is deferring cost to the day something goes wrong.
Frequently Asked Questions
Usually not. Most Christchurch providers separate licensing costs for Microsoft 365, security tools, and line-of-business applications because these vary between organisations. This is actually a good sign of transparency. Providers who bundle everything into one opaque number make it harder to see where your money goes.
Reputable providers follow structured data retention policies, typically holding client data for 30 to 90 days before secure deletion. You should have full data ownership documented in your agreement from day one, including the format backups will be returned in and the timeline for handover. Negotiate exit provisions before signing, not after.
Some do. Many charge premium rates for it. At the $100 per user tier, after-hours coverage is frequently excluded or limited to critical outages only. Clarify the exact SLA before signing: what constitutes an emergency, what the response time is, and whether a human or an answering service picks up the phone.
Two to four weeks for most Christchurch businesses with 10 to 200 staff. The timeline covers network assessment, system documentation, security configuration, and user provisioning. Businesses with legacy systems or multi-site operations should expect the longer end of that window. We run parallel support during changeover so there is no gap in coverage.
Yes. Most providers. Not OxygenIT the only way to provide consistent delivery and security is to standardise across the organisation. Differences open the door to let hacker in to save a few dollars on an account. You are paying for the risk mitigation of the organisation not the individual user.
